Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

Network Attack, Attributed to China, Disables Naval War College (30 November 2006)

US Navy officials reported that the Naval War College computers were taken off line because of intrusions suspected of being carried out by Chinese hackers. The school trains senior military officers in tactics and runs war games. Computers are being investigated to determine the extent of the intrusion.
-http://washingtontimes.com/national/20061130-103049-5042r.htm
-http://www.fcw.com/article96957-11-30-06-Web
[Editor's Note (Pescatore): Ah, the delicious irony of it all. Sort of like the local high school paintball team taking over the local police academy pistol range.]

Christopher Soghoian, the Indiana University graduate student who placed a phony airline boarding pass generator on his web site, will not face legal repercussions. Soghoian intended his site to demonstrate weaknesses in no-fly lists. Authorities did not feel he had performed a beneficial service through his actions, but were convinced that he intended no harm. Earlier this fall, Soghoian was ordered to remove the generator from his site; at that time, authorities also searched his home and seized some of his property.
-http://www.theregister.co.uk/2006/11/29/no_fly_spy_cleared/print.html
[Editor's Note (Pescatore): Basically, every PC includes a phony airline boarding pass generator (Paint/McDraw/etc) so there was definite over-reaction; but by posting the program on his web site, the grad student was basically putting a "Kick Me" sign on his back.
(Ullrich): To any security professional who has attended SANS Security Essentials, this flaw was old news. So it is kind of amazing how a "proof of concept" heightened awareness in this case. The case shows how important such proofs of concept can be.]

European Union legislation due to go into effect in late 2007 would require organizations that experience data security breaches to notify regulators and customers if the breach could expose customer data.
-http://www.vnunet.com/computing/analysis/2169875/telecoms-providers-reveal
-http://www.net-security.org/secworld.php?id=4450
[Editor's Note (Pescatore): There is a big difference between breaches that "could" expose customer data and breaches that "do" expose customer data. Imagine your car insurance rates if you had to disclose every driving action you took that "could have" resulted in an accident.
(Schultz): The EU and about half the states in the US have passed statutes requiring notification of potentially affected individuals in the case of data security breaches. It is now well past time for the US government to do the same.
(Ranum): While I am a fan of using the stick to force companies to take data security seriously, this whole trend toward disclosure legislation strikes me as solving the wrong problem. The problem is not "make sure people know when their data has been compromised" it should be "why is it so easy to perpetrate fraud if you can steal a measly 16-digit number and a name to match it?" By trying to deal with data disclosure, the industry is fighting (and losing, if I may add) the wrong battle. Tackling the question of trustworthy identity is definitely a harder problem, but it'll actually make progress in the long run, whereas chasing disclosure just encourages companies to arbitrage risk.
(Honan): While it is disappointing that this legislation is limited to telecom providers and ISPs it should be seen as a positive move. This legislation will complement EU Data Protection legislation which requires companies to protect personal data but does not require notification in the event of a breach. In addition, under the recent EU Data Retention directive ISPs and telecom companies are now required to hold onto vast amounts of personal data. This legislation will hopefully remind those companies of their responsibilities in protecting this information.]

Digital Copyright Protection May Be Legitimately Circumvented in Certain Cases (27 November 2006)

The Library of Congress' Copyright Office has issued a rule, "Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies," which allows that in certain cases, it is permissible to bypass digital copyright protection. The situations described are those in which copy protections "inadvertently limit access to legally acquired material." Among the cases cited is Sony's use of copyright protection on CDs that created security holes on users' computers.
-http://www.fcw.com/article96922-11-27-06-Web
-http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/E6-20029.htm
[Editor's Note (Pescatore): Three of the six class exemptions are just modifications to class exemptions that came out of the Library of Congress 2003 rule that clarified DMCA previously. Seeing how this process works points out how the unintended consequences of technology specific legislation almost invariably swamp the intended consequences.]

THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Spybot Program Spreads Through Symantec and Windows Flaws (29 November 2006)

The W32.Spybot.SCYR program is spreading through six separate vulnerabilities: five in Microsoft products and one in Symantec's anti-virus software. There are patches available for all the flaws. The bot program has infiltrated computer systems at universities in the US and Australia. The spread of this particular program was brought to light after the Internet Storm Center (ISC) and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) noticed significant spikes in traffic to port 2967, which is used by the Symantec software.
-http://www.theregister.co.uk/2006/11/29/bot_antivirus_windows_flaws/print.html
[Editor's Note (Ullrich): While an old flaw, Symantec's versioning scheme and update procedure make patching and validating of the patch level highly confusing to the end user.]

Bug-a-Day Project Targeting Oracle Cancelled (29 November 2006)

Cesar Cerrudo, the man who promised the Week of Zero-Day Oracle Database Bugs, has cancelled those plans with no explanation beyond saying he had encountered "many problems." Cerrudo expressed disappointment at having made this decision. In the past, similar projects have disclosed a month of browser flaws and a month of kernel flaws; Cerrudo's scuttled project was the first of these to focus on just one software maker. The programs came about because of researchers' frustrations with the way software makers deal with security flaws. Oracle has met with considerable criticism for dragging its feet about fixing vulnerabilities.
-http://www.securityfocus.com/brief/371
[Editor's Note (Ullrich): Some people may suggest that the project was only a trick to obtain more Oracle 0-day exploits. The project claims that they received a number of Oracle 0-days from other researchers. But none of them will be published.
(Ranum): It's fair to mention that so called "vulnerability researchers" have also met with considerable criticism for the way they garner attention by releasing zero-day vulnerabilities. If Oracle is the problem, I don't think Cerrudo's approach is the solution. The vulnerability disclosure game has been playing itself out since the mid 1990's and what do we have to show for it? Better software? A more secure internet? More responsive vendors? Or just more publicity seekers who can now pass themselves off as "security researchers" for the groupies at DEFCON?
(Paller): There is truth in Marcus Ranum's note, but I believe that many people in the security research community have caused important change by illuminating the new attack targets of the criminals, by accelerating positive behavior by *some* vendors, and by increasing the knowledge used by defenders to build more robust security. Without the researchers, many of the most widely used attack vectors would not be understood as well as they are and progress in building defenses would be much slower.
(Grefer): Interestingly enough, though, Oracle's customers might be less critical of this vendor's approach, given that they are not departing in swarms to seek out other solution providers. Decision makers are apparently more willing to live with the risk(s), than to vote with their feet, the costs of such "votes" notwithstanding.]

Symantec Update Fixes PHP Buffer Overflow Flaws (29 November 2006)

Symantec has released an update to address PHP buffer overflow vulnerabilities in its Veritas Netbackup 6.0 PureDisk Remote Office Edition. The vulnerabilities could be exploited to take remote control of unpatched systems. Symantec says there does not appear to be exploit code available for the flaws.
-http://news.com.com/2102-1002_3-6139260.html?tag=st.util.print

(Ullrich): Note that this patch set fixes yet another Apple airport flaw that leads to arbitrary code execution. I am sure we all remember the outcry a few months back as the existence of such a flaw was first suggested. This is now the third patch to include a fix for this group of vulnerabilities. There is still no credit to the researchers who originally discovered one of these bugs nor a statement (dare I say apology) that they demonstrated a valid problem. ]

According to court records, Devon Townsend, 27, is accused of using a computer belonging to Sandia National Laboratory (her previous employer) at an Air Force base to hack into a cell phone company's Web site to get a number for Chester Bennington, lead singer of the Grammy-winning rock group Linkin Park. The DoD Inspector General filed an affidavit saying she obtained Bennington's cell phone bill, the phone numbers he called and digital pictures taken with the phone.
-http://news.yahoo.com/s/ap/20061124/ap_en_mu/people_linkin_park

MISCELLANEOUS

FBI Unresponsive to Taiwan's Requests for Cybercrime Help (29 November 2006)

Lee Hsiang-chen, the director of Taiwan's High-Tech Criminal Centre of the National Police Agency, has said that the FBI has not been responsive to requests to help fight cyber crimes, even when those crimes affect the US. Due to the delicate political nature of the relationship between Taiwan and China, certain US government agencies have no representation on the island; this includes the FBI. Lee said Taiwan's requests for help were directed to the FBI agent at Tokyo's American Embassy. Raul Roldan, acting deputy assistant director of the FBI's cyber crime division, "promised to look into the problem."
-http://www.smh.com.au/news/Technology/Official-FBI-Unresponsive-to-Taiwan/2006/11/29/1164476244714.html
[Editor's Note (Ullrich): This is not the first time Taiwan has cried "cyberterror" when a system that hasn't been patched in years is getting hijacked by Chinese elementary school kids. There may be some organized government-sponsored hacking going on, but it is lost in the noise. In some cases, Chinese network administrators worked with their Taiwanese counterparts to warn them of some upcoming attacks.]

Security Breaches Reach Jeopardy TV Show

Contributing Editor James Murray writes: You know things are interesting in the security industry when security breaches get their own category on Jeopardy. I was watching Jeopardy last week, I think it was a repeat. There was a category called Record Losses in 2005. I initially thought that it would be about financial losses but it turned out that every question dealt with companies that lost sensitive information. Here were the answers and questions.
1. A computer with 98,000 names and ssns was stolen from this oldest campus of the Univ. of Calif. - What is Berkeley?
2. Named for a sport that embodies high society, this Ralph Lauren Co. was hacked for 180,000 credit-card numbers. - What is Polo?
3. This company that owns HBO & Turner Broadcasting lost a backup tape with 600,000 names and ssns. - What is Time Warner?
4. Data on 4 million customers were lost by this group formed by a 1998 merger with Travelers. - What is Citigroup?
5. A medical group lost 185,000 personal & medical records in this city, the seat of Santa Clara County. - What is San Jose?

US Warns Of Possible Qaeda Financial Cyber Attack (30 November 2006)

The Department of Homeland Security warned that al Qaeda may be planning cyber attacks on banking and financial institutions. The warning described possible denial of service attacks to be carried out during December through what the al Qaeda web site called "the infidel's new year."
-http://money.cnn.com/2006/11/30/news/economy/al_qaeda/
-http://www.alertnet.org/thenews/newsdesk/N30222160.htm
[Editor's Note (Pescatore): Most banks have already been hit by denial of service attacks and the smart ones have obtained DoS mitigation services. A quote from the Reuters article: "The Department of Homeland Security confirmed an alert had been distributed but said there was no reason to believe the threat was credible." I think it would be a really good idea if DHS refrained from issuing alerts about non-credible threats.
(Ranum): Reading the article, it appears that DHS issued the alert because someone said "it's coming" and in the COMPLETE ABSENCE OF ANY EVIDENCE didn't want to get blamed if something actually did happen - so they issued an alert. That is just SO lame.
(Ullrich): From what I can tell so far, this is less a case of DHS/Cert crying 'wolf', but of some journalist looking too hard for a story where there was none. A "Jihadist" web site had a statement encouraging such attacks. As described by DHS, it was "inspirational". I guess something along the lines of "Let's attack US banks. Wouldn't that be great". In a threat assessment distributed to the financial sector, DHS noted this message and asked Banks to pay attention and report any related incidents (I don't have the exact text, but was told that this was the message). Now some "hack" (not hacker) got a hold of this report... once the story was a "breaking news alert" on foxnews.com, all the other outlets played catch up and tried to find the non-existing story. Of course they had to do so fast, and fact checks don't help to get the story out fast.]

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.
